Live Patching Ubuntu Server so That You Don't Have to Reboot it

Managing Linux servers can feel like a chore, especially when you have to perform the same tasks over and over.

Updating the server is one of those tasks. You can opt to install security updates automatically on your server, but that doesn't free you from maintenance completely.

Why? Because security updates to the kernel require restarting the Ubuntu server.

If you use Ubuntu server on a cloud service like Linode, you'll notice that it tells you when your system requires a restart:

*** System restart required ***

What if I told you there is a way to install all updates, including kernel updates, without rebooting your server? It's called live kernel patching, or live patching.

What is live patching?

Live patching is the process of applying security fixes to a running Linux kernel without rebooting the system.

The process is complex and risky, which is why it is not enabled by default in Linux distributions.

Earlier, Linux sysadmins had to do a lot of manual work to hot patch the kernel. Live patching support was added to the Linux kernel itself in version 4.0, which means your Ubuntu system should support live patching.

You can confirm that your kernel supports it with the following command on Ubuntu:

grep LIVEPATCH /boot/config-$(uname -r)

If the output contains CONFIG_LIVEPATCH=y, your kernel supports live patching.

Kernel support alone is not enough, though: to actually apply patches you need a live patching service. A few tools provide live patching of the Linux kernel, such as Ksplice from Oracle, kGraft from SUSE, and Livepatch from Ubuntu.

Keep in mind that live patching is sold as a service by companies like KernelCare. Ubuntu allows it for free for up to 3 servers per Ubuntu account (explained later).

Since the discussion here is about Ubuntu, it makes sense to use the live patching service provided by Ubuntu itself.

Enabling Live Patching on Ubuntu server

Go to the webpage of the Canonical Livepatch Service.

You'll have to create an Ubuntu One account if you don't have one already.

Once you are logged in, you can see the token for your account and a couple of commands that you'll have to run on each server where you want to activate live patching.

Once you have this token, log into your Ubuntu server.

Install the live patching tool first:

sudo snap install canonical-livepatch

Next, enable live kernel patching with the token you copied from your Ubuntu One account:

sudo canonical-livepatch enable ad108xxxxxxxxxxxxxxxxxxxxxxxxx
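The whole procedure as one script, added here as an example that is not part of the original article or of Canonical's own tooling. It checks the running kernel's config for both CONFIG_HAVE_LIVEPATCH and CONFIG_LIVEPATCH, and only then installs the snap and enables the service. The LIVEPATCH_TOKEN environment variable, the function names and the demo/enable arguments are assumptions of this script; the token itself still comes from your Ubuntu One account.

```shell
#!/bin/sh
# Added example (not from the original article): verify live patching
# support in a kernel config file and, if supported, install and enable
# the Canonical Livepatch client. LIVEPATCH_TOKEN and the function names
# are assumptions made for this script.

# Return 0 if the given kernel config declares live patching support,
# 1 if it does not, 2 if the file cannot be read.
livepatch_supported() {
    cfg="$1"
    [ -r "$cfg" ] || return 2
    # The architecture must be able to live patch (HAVE_LIVEPATCH) and
    # the feature must actually be compiled in (LIVEPATCH).
    grep -q '^CONFIG_HAVE_LIVEPATCH=y$' "$cfg" || return 1
    grep -q '^CONFIG_LIVEPATCH=y$' "$cfg" || return 1
    return 0
}

# Install the client and enable it with the token taken from the
# environment, so the token is not typed on the command line and left
# behind in shell history.
enable_livepatch() {
    cfg="/boot/config-$(uname -r)"
    if ! livepatch_supported "$cfg"; then
        echo "kernel $(uname -r) does not support live patching" >&2
        return 1
    fi
    if [ -z "$LIVEPATCH_TOKEN" ]; then
        echo "LIVEPATCH_TOKEN is not set" >&2
        return 1
    fi
    sudo snap install canonical-livepatch
    sudo canonical-livepatch enable "$LIVEPATCH_TOKEN"
    # Show what the client reports after enrolment.
    sudo canonical-livepatch status
}

# Exercise the check against constructed sample configs, without
# touching /boot at all.
demo_check() {
    tmp=$(mktemp -d)
    printf 'CONFIG_HAVE_LIVEPATCH=y\nCONFIG_LIVEPATCH=y\n' > "$tmp/config-good"
    printf 'CONFIG_HAVE_LIVEPATCH=y\n# CONFIG_LIVEPATCH is not set\n' > "$tmp/config-bad"
    livepatch_supported "$tmp/config-good" && echo "config-good: supported"
    livepatch_supported "$tmp/config-bad" || echo "config-bad: not supported"
    rm -rf "$tmp"
}

case "${1:-demo}" in
    demo) demo_check ;;
    enable) enable_livepatch ;;
    *) echo "usage: $0 [demo|enable]" >&2; exit 2 ;;
esac
```

Run it with no argument to exercise the config check against the constructed sample files; run it as `./livepatch.sh enable` with LIVEPATCH_TOKEN exported to perform the actual enrolment. Reading the token from the environment keeps it out of your shell history, which is where a token pasted on the command line would otherwise end up.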

That's it. Now that live patching is enabled, you don't need to worry about rebooting your server for kernel security updates. Imagine the uptime your server will have.

Speaking of uptime, let me share the sysadmin anthem Uptime Funk. It's a relatable and funny parody video from SUSE Linux.

Don't reboot it, just patch :)